Package: freeplane Version: 1.7.10-1 Tags: patch, security Dear Maintainer, the freeplane package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.
This Lintian tag is triggered: https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html See also grave bug #930908, which was recently closed because "a Lintian test already exists": https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908 I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability. If you need more information let me know. Thanks, MNZ
diff --git a/debian/freeplane.mime b/debian/freeplane.mime index 77b493e..78a6b35 100644 --- a/debian/freeplane.mime +++ b/debian/freeplane.mime @@ -8,4 +8,4 @@ # magic, and so if both programs are installed, the correct program is used # for the correct magic (i.e. <map version="freeplane... vs <map>) in GNOME/KDE/Xfce! -application/x-freemind; /usr/bin/freeplane '%s'; test=test -n "$DISPLAY"; description="Freeplane/FreeMind MindMap file"; textualnewlines; nametemplate=%s.mm; priority=7 +application/x-freemind; /usr/bin/freeplane %s; test=test -n "$DISPLAY"; description="Freeplane/FreeMind MindMap file"; textualnewlines; nametemplate=%s.mm; priority=7